
The Juniper router must be configured to drop all fragmented Internet Control Message Protocol (ICMP) packets destined to itself.


Overview

Finding ID: V-254011
Version: JUEX-RT-000390
Rule ID: SV-254011r997525_rule
IA Controls: (none listed)
Severity: Medium
Description
Fragmented ICMP packets can be generated by hackers for denial-of-service (DoS) attacks such as Ping O' Death and Teardrop. It is imperative that all fragmented ICMP packets are dropped.
STIG: Juniper EX Series Switches Router Security Technical Implementation Guide
Date: 2024-06-10

Details

Check Text (C-57463r844064_chk)
Review the firewall filter for the router receive path. Firewall filters applied to the loopback interface affect traffic destined for the Route Engine (RE) regardless of ingress interface. Individual firewall filters are also supported on each ingress interface.
Note: Verify the firewall filter applied to the loopback interface addresses all traffic destined for the RE (e.g., BGP, OSPF, etc.).

Verify that it will drop all fragmented ICMP packets destined to itself. For example:
[edit policy-options]
prefix-list router-addresses-ipv4 {
    /32;
    ;
}
[edit firewall family inet]
filter protect_re {
    term 1 {
        from {
            destination-prefix-list {
                router-addresses-ipv4;
            }
            is-fragment;
            protocol icmp;
        }
        then {
            log;
            syslog;
            discard;
        }
    }

}
[edit interfaces lo0 unit 0]
family inet {
    filter {
        input protect_re;
    }
    address /32;
}

Note: Some Juniper devices support both monolithic filters and filter lists. Filter lists separate each term, or set of terms, into a separate filter that is applied sequentially to an interface. If using filter lists, the keywords "input" or "output" change to "input-list" or "output-list". Verify the final list item is a deny-all filter. The deny-all filter is created once per family and can be reused across multiple lists. For example:

input-list [ permit_mgt permit_routing_protocols default-deny ];

If the router is not configured with a receive-path filter to drop all fragmented ICMP packets, this is a finding.

Note: If the platform does not support the receive path filter, verify that all layer 3 interfaces have an ingress filter to control what packets are allowed to be destined to the router for processing.
Fix Text (F-57414r844065_fix)
Ensure all routers have their receive path filter configured to drop all fragmented ICMP packets.

set policy-options prefix-list router-addresses-ipv4 /32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
set interfaces lo0 unit 0 family inet filter input protect_re
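As an added example that is not part of the STIG text, the following Python script automates the Check Text above against a configuration exported in set format (the same format as the Fix Text). It parses the `firewall family inet` terms and the `lo0 unit 0` input filter or input-list, then walks the terms in the order Junos evaluates them to decide what happens to a fragmented ICMP packet addressed to the router. It covers the two cases the check calls out: a single monolithic filter and a filter list, where an earlier filter that accepts ICMP would defeat the discard term. The sample configurations, the filter name permit_icmp and the address 192.0.2.1 are constructed; the assumption that a destination-prefix-list referenced from the lo0 filter holds the router's own addresses is a simplification of this script, not something the STIG states.

```python
"""Added example: check a Junos set-format configuration for this STIG rule.
Models one packet (fragmented ICMP, destined to the router) and walks the
lo0 receive-path filter terms in Junos evaluation order."""
import re

# Constructed sample configurations; 192.0.2.1 is an RFC 5737 placeholder.
COMPLIANT_CONFIG = """
set policy-options prefix-list router-addresses-ipv4 192.0.2.1/32
set firewall family inet filter protect_re term 1 from destination-prefix-list router-addresses-ipv4
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then log
set firewall family inet filter protect_re term 1 then syslog
set firewall family inet filter protect_re term 1 then discard
set interfaces lo0 unit 0 family inet filter input protect_re
"""

# Constructed: a filter list whose first member accepts all ICMP, so the
# discard term in protect_re is never reached (term order matters).
NONCOMPLIANT_CONFIG = """
set firewall family inet filter permit_icmp term 1 from protocol icmp
set firewall family inet filter permit_icmp term 1 then accept
set firewall family inet filter protect_re term 1 from protocol icmp
set firewall family inet filter protect_re term 1 from is-fragment
set firewall family inet filter protect_re term 1 then discard
set interfaces lo0 unit 0 family inet filter input-list permit_icmp
set interfaces lo0 unit 0 family inet filter input-list protect_re
"""

TERM_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")
LO0_RE = re.compile(r"^set interfaces lo0 unit 0 family inet filter (input|input-list) (.+)$")


def parse_config(text):
    """Return (filters, chain): filters maps name -> {term -> {"from": [...], "then": [...]}}
    in config order; chain lists the filters applied inbound on lo0 unit 0 in evaluation order."""
    filters, chain = {}, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = TERM_RE.match(line)
        if m:
            fname, tname, clause, rest = m.groups()
            term = filters.setdefault(fname, {}).setdefault(tname, {"from": [], "then": []})
            term[clause].append(rest.strip())
            continue
        m = LO0_RE.match(line)
        if m:  # accept both one name per line and the '[ a b c ]' list form
            for name in m.group(2).strip("[] ").split():
                if name not in chain:
                    chain.append(name)
    return filters, chain


def condition_matches(cond):
    """One 'from' condition against the modelled packet: True matches, False cannot
    match, None depends on fields not modelled (source addresses, ports, ...)."""
    words = cond.split()
    if words[0] == "protocol":
        return "icmp" in words[1:]  # 'protocol icmp' or 'protocol [ icmp ospf ]'
    if words[0] == "is-fragment":
        return True
    if words[0] == "destination-prefix-list":
        return True  # assumption: lo0 prefix lists hold the router's own addresses
    return None


def term_verdict(term):
    """Classify a term as (match, action): match in {match, maybe, no-match},
    action in {drop, accept, next}."""
    results = [condition_matches(c) for c in term["from"]]
    if any(r is False for r in results):
        return "no-match", None
    match = "match" if all(r is True for r in results) else "maybe"
    actions = {t.split()[0] for t in term["then"]}
    if actions & {"discard", "reject"}:
        return match, "drop"
    if "next" in actions:  # 'then next term' keeps evaluating
        return match, "next"
    return match, "accept"  # Junos accepts a matching term with no terminating action


def evaluate(filters, chain):
    """Walk the lo0 input chain and report the fate of a fragmented ICMP packet."""
    if not chain:
        return "no-filter"
    for fname in chain:
        for tname, term in filters.get(fname, {}).items():
            match, action = term_verdict(term)
            if match == "no-match" or action == "next":
                continue
            if action == "drop":
                if match == "match":
                    return f"discard:{fname}:{tname}"
                continue  # a possible discard is not a guaranteed one
            return f"accept:{fname}:{tname}"  # any possible accept defeats the control
    return "implicit-discard"  # fell off the end of the chain; review manually


def is_compliant(text):
    """True only when an explicit term discards the packet, as the Fix Text requires."""
    return evaluate(*parse_config(text)).startswith("discard:")


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(f"{label}: {evaluate(*parse_config(cfg))}")
```

Feed it the output of `show configuration | display set` from the device under review. A verdict of `implicit-discard` means no term matched and the packet would only be dropped by the filter's implicit deny; the script does not treat that as compliant because the Fix Text calls for an explicit discard term, and the reviewer should confirm the chain ends in a deny-all filter as the filter-list note requires.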